search
Extra Notes

Hacker101 CTF {Micro-CMS-v1}

hashtag
CHALLENGE DESCRIPTION

Hacker101 CTF is a game designed to let you learn to hack in a safe, rewarding environment. Hacker101 is a free educational site for hackers, run by HackerOne. This CTF is another integral component in our plans to make the world a better place, one bug at a time

hashtag
Challenge Information

  • Category: Web

  • Difficulty: Very Easy

  • Objective: Exploit web vulnerabilities to retrieve the flag.

  • Tag : IDOR , XSS, SQLi

hashtag
Identifying Functionality

Upon accessing the Micro-CMS-v1 website, the following functionalities were observed:

  • Testing Page (/page/1) – Sample page already created.

  • Markdown Page (/page/2) – A sample markdown page has already been created.

  • Edit(/page/edit/{id}) – To edit page.

  • Create Page (/page/create) – Create new page with Title and Content.

Landing page once visiting the URL
Testing Page /page/1
Edit page for /page/edit/2
Create Page /page/create

hashtag
SOLUTION

hashtag
IDOR

hashtag
Vulnerability Analysis

  • The edit page was vulnerable to IDOR due to improper access control.

  • The application used sequential numerical IDs, allowing an attacker to manipulate them.

  • By modifying the id parameter, an attacker could edit another user's page, leading to unauthorized content changes and potential data leaks.

hashtag
Exploitation Steps

  1. Navigate to the /page/{id} and /page/edit/{id}.

/page/1

  1. Change the ID to another number. Examples 1 and 2.

/page/edit/2

  1. The attacker can view and edit another user’s content if unauthorized access is granted.

/page/edit/6

  1. This confirms the IDOR vulnerability, allowing unauthorized modifications.

hashtag
SQL Injection

hashtag
Vulnerability Analysis

  • The edit page was vulnerable to SQL Injection due to unsanitized user input being directly inserted into SQL queries.

  • This allowed attackers to manipulate database queries, retrieve sensitive information, and modify stored records.

hashtag
Exploitation Steps

  1. Navigate to the edit endpoint /page/edit/{id}.

  2. Inject a basic SQL Testing Payload into /page/edit/{id}'

/page/edit/1'

  1. If successful, unauthorized data is retrieved

hashtag
Stored XSS

hashtag
Vulnerability Analysis

  • The page creation and editing functionalities (/page/create, /page/edit/{id}) were vulnerable to Stored Cross-Site Scripting (XSS).

  • Malicious JavaScript could be injected into the Title field.

  • Whenever another user viewed the affected page, the script would execute, leading to session hijacking and credential theft.

hashtag
Exploitation Steps

  1. Navigate to the page creation/page/create.

/page/create

  1. Submit a Testing Payload in the Title and Content Field.

Sample XSS script being used.

  1. When another user views the page, it will trigger the script.

Proof of XSS being trigger

hashtag
Reflected XSS

hashtag
Vulnerability Analysis

  • The page creation and editing functionalities (/page/create, /page/edit/{id}) were vulnerable to Reflected Cross-Site Scripting (XSS).

  • Malicious JavaScript could be injected into the Content field.

  • When a victim clicks the button, the script is executed.

hashtag
Exploitation Steps

  1. Navigate to the page creation/page/create.

  2. Inject a malicious payload into the button element.

/page/create

  1. If the application does not sanitize input, clicking the button triggers the JavaScript execution

XSS being trigger

  1. When the victim clicks the button, the flag is reflected in the Dev-Tools, confirming the Reflected XSS vulnerability

Reflected Flag in Source Code

Last updated